Use of Armed Force in Self-Defense under Article 51 of the UN Charter

V. Remedies Against Cyber Attacks 1. Resort to the UN Security Council

4. Use of Armed Force in Self-Defense under Article 51 of the UN Charter

a. When does a Use of Cyber Force amount to an “Armed Attack”?

Article 51 of the UN Charter provides that, “[n]othing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Na-tions, until the Security Council has taken measures necessary to main-tain international peace and security.” The state victim of a use of cyber force will thus be entitled to react in self-defense only to the extent that such use of cyber force can be qualified as an “armed attack”. In the Nicaragua case, the ICJ acknowledged that a definition of “armed at-tack” does not exist in the Charter and is not part of treaty law.¹³¹ The ICJ, however, made clear that Article 51 does not refer to specific weapons and that it applies to “any use of force, regardless of the weapons employed.”¹³² As seen above in the context of Article 2 para.

4,¹³³ the fact that cyber attacks do not employ traditional kinetic weap-ons does not necessarily mean they cannot be “armed”. As Zemanek notes, “it is neither the designation of a device, nor its normal use, which make it a weapon but the intent with which it is used and its

130 Delibasis, see note 45, 364.

131 ICJ Reports 1986, see note 64, 94 para. 176.

132 ICJ Reports 1996, see note 86, 244 para. 39.

133 Above, Part IV.

fect. The use of any device, or number of devices, which results in a considerable loss of life and/or extensive destruction of property must therefore be deemed to fulfil the conditions of an ‘armed’ attack.”¹³⁴ This conclusion is supported by the Security Council’s reaffirmation of the right to self-defense in response to the 11 September 2001 attacks on the United States, where the “weapons” employed were hijacked air-planes.¹³⁵

But are all uses of cyber force “armed attacks”? It is well-known that the ICJ identified “the most grave forms of the use of force”, i.e.

armed attacks, and less grave forms and adopted the “scale and effects”

criterion in order to distinguish them.¹³⁶ A commentator has tried to specify this criterion by arguing that an armed attack is, “an act or the beginning of a series of acts of armed force of considerable magnitude and intensity (i.e. scale) which have as their consequence (i.e. effects) the infliction of substantial destruction upon important elements of the target State namely, upon its people, economic and security infrastruc-ture, destruction of aspects of its governmental authority, i.e. its politi-cal independence, as well as damage to or deprivation of its physipoliti-cal ele-ment namely, its territory”, and the “use of force which is aimed at a State’s main industrial and economic resource and which results in the substantial impairment of its economy.”¹³⁷ Dinstein suggests some ex-amples of cyber attacks amounting to armed attacks: “[f]atalities caused by the loss of computer-controlled life-support systems; an extensive power grid outage (electricity blackout) creating considerable deleteri-ous repercussions; a shutdown of computers controlling waterworks and dams, generating thereby floods of inhabited areas; deadly crashes deliberately engineered (e.g., through misinformation fed into aircraft computers)” and “the wanton instigation of a core-meltdown of a reac-tor in a nuclear power plant, leading to the release of radioactive mate-rials that can result in countless casualties if the neighbouring areas are densely populated.”¹³⁸ On the other hand, disruption of communica-tions caused by a temporary DoS attack which does not result in

134 K. Zemanek, “Armed attack”, Max Planck Encyclopedia of Public Interna-tional Law, 2010, para. 21.

135 See S/RES/1368 (2001) of 12 September 2001 and S/RES/1373 (2001) of 28 September 2001.

136 ICJ Reports 1986, see note 64, 101 para. 191, 103 para. 195.

137 A. Constantinou, The Right of Self-Defence under Customary Interna-tional Law and Article 51 of the UN Charter, 2000, 63-64.

138 Dinstein, see note 31, 105.

nificant human losses or property damage would not amount to an armed attack, although it might be a use of force.¹³⁹

It is not clear against whose computers and computer networks the cyber attack should be directed in order to be considered an attack on the state. In a traditional attack, the fact that the target is military or ci-vilian does not make any difference. The state where the target is lo-cated would be entitled to self-defense because its territorial integrity has been violated. Hence, Dinstein correctly argues that, if a conven-tional armed attack against a civilian facility on the territory of the tar-get state would amount to an armed attack even if no member of the armed forces is injured or military property damaged, there is no reason to come to a different conclusion with regard to cyber attacks against civilian systems: “[e]ven if the CNA impinges upon a civilian computer system which has no nexus to the military establishment (like a private hospital installation), a devastating impact would vouchsafe the classifi-cation of the act as an armed attack.”¹⁴⁰ The fact that the computer net-work is run by a corporation possessing the nationality of a third state or that the computer system operated by the victim state is located out-side its borders (for instance, in a military base abroad) does not change the situation.¹⁴¹ When the damage caused to a certain state or its nation-als is however not intended (e.g., because the cyber attack was an acci-dent or the real target was another state),¹⁴² it is doubtful that self-defense can be invoked by the casual victim: according to the ICJ, an armed attack must be carried out “with the specific intention of harm-ing.”¹⁴³

139 Ibid. The view according to which stealing or compromising sensitive mili-tary information could also qualify as an armed attack “even though no immediate loss of life or destruction results” occur (C.C. Joyner/ C. Lo-trionte, “Information Warfare as International Coercion: Elements of a Le-gal Framework”, EJIL 12 (2001), 825 et seq. (855)) cannot thus be shared.

140 Dinstein, see note 31, 106.

141 Ibid., 106-107.

142 As Schmitt notes, “the attacker, because of automatic routing mechanisms, may not be able to control, or even accurately predict, the cyber pathway to the target”, which increases the risk of unintended consequences, Schmitt, see note 103, 56.

143 Case concerning Oil Platforms (Iran v. United States), ICJ Reports 2003, 161 et seq. (191 para. 64). It is not however clear whether the Court wanted to emphasize a general requirement for self-defense or it only intended to limit the requirement to that specific case, C. Gray, International Law and the Use of Force, 2008, 146.

Nonetheless, the problem is whether a cyber attack on the computer network of any civilian infrastructure could potentially amount to an armed attack (providing it satisfies the scale and effects criterion). It has been claimed, for instance, that, as Google is the most powerful pres-ence on the Internet, an attack on it would be an attack on the United States critical infrastructure.¹⁴⁴ There is no agreement, though, on what

“critical infrastructures” are. The UN General Assembly recognized that “each country will determine its own critical information infra-structures.”¹⁴⁵ The 1999 DoD’s Assessment of International Legal Is-sues in Information Operations, for instance, refers to a nation’s air traffic control system, its banking and financial system and public utili-ties and dams as examples of targets that, if shut down by a coordinated computer network attack, might entitle the victim state to self-defense.¹⁴⁶ The 2001 PATRIOT Act defines “critical infrastructure” as

“systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic secu-rity, national public health or safety, or any combination of those mat-ters.”¹⁴⁷ The 2003 United States National Strategy to Secure Cyber-space describes critical infrastructures as “the physical and cyber assets of public and private institutions in [...] agriculture, food, water, public health, emergency services, government, defense industrial base, infor-mation and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping.”¹⁴⁸ The United Kingdom Cyber Security Strategy refers to nine sectors that deliver essential services: energy, food, water, transport, communi-cations, government and public services, emergency services, health and finance.¹⁴⁹ The Australian government defines critical infrastructures as

“those physical facilities, supply chains, information technologies and

144 M. Glenny, “In America’s new cyber war Google is on the front line”, The Guardian, 19 January 2010, 32.

145 See, e.g., A/RES/58/199 of 23 December 2003.

146 DoD, An Assessment, see note 27, 16.

147 Public Law 107-56, 26 October 2001, Section 1016 (e). The text can be read at <http://fl1.findlaw.com/news.findlaw.com/cnn/docs/terrorism/hr3162.

pdf>.

148 United States National Strategy to Secure Cyberspace, see note 3, 1. See also The National Strategy for the Physical Protection of Critical Infrastruc-tures and Key Assets, February 2003, 35 <www.dhs.gov/xlibrary/assets/

Physical_Strategy.pdf>.

149 United Kingdom Cyber Security Strategy, see note 59, 9.

communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would adversely impact on the so-cial or economic well-being of the nation or affect Australia’s ability to ensure national security’’, in particular in the following sectors: “bank-ing and finance, communications, emergency services, energy, food chain, health (private), water services, mass gatherings, and transport (aviation, maritime and surface).”¹⁵⁰ Australia’s Cyber Security Strategy, however, also points out that systems of national interest “go beyond traditional notions of critical infrastructure” and include “systems which, if rendered unavailable or otherwise compromised, could result in significant impacts on Australia’s economic prosperity, international competitiveness, public safety, social wellbeing or national defence and security.”¹⁵¹ Finally, the Commission of the European Union defines critical infrastructures as “those physical resources, services, and infor-mation technology facilities, networks and infrastructure assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of Citizens or the effective functioning of governments.”¹⁵²

The problem of the identification of national critical infrastructures is further complicated by the fact that, in most countries, the majority of such infrastructures are owned by the private sector. At the end of the day, the notion of “critical infrastructure” is linked to that of “na-tional security”, which is equally difficult to define, both in domestic and international law.¹⁵³ International tribunals recognize a broad

150 Australia’s Cyber Security Strategy, see note 4, 20.

151 Ibid., 12. The Strategy acknowledges that “[t]he identification of systems of national interest is not a static process and [...] must be informed by an on-going assessment of risk” (ibid.).

152 <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2005:0576 :FIN:EN:PDF> EU Commission, Green Paper on a European Programme on Critical Infrastructure Protection, COM (2005) 576 final, 17 November 2005, 20. Critical information infrastructures are defined as those informa-tion and communicainforma-tion technologies “that are critical infrastructures for themselves or that are essential for the operation of critical infrastructures (telecommunications, computers/software, Internet, satellites, etc.)” (ibid., 19). An indicative list of critical infrastructure sectors includes energy, in-formation and communication technologies, water, food, health, financial, public and legal order and safety, civil administration, transport, chemical and nuclear industry, and space and research (ibid., 24).

153 Th. Christakis, “L’Etat avant le droit? L’exception de ‘sécurité nationale’ en droit international”, RGDIP 112 (2008), 5 et seq. (8-16).

gin of appreciation to states when it comes to determine what amounts to a threat to their national security, which “rend, en fin de compte, quelque peu vaine la recherche d’une définition objective et immutable du concept de «sécurité nationale».”¹⁵⁴

b. The Legal Requirements of the Reaction in Self-Defense against a Cyber Attack

The reaction in self-defense against cyber attacks amounting to armed attacks must meet the requirements of necessity, proportionality and immediacy.¹⁵⁵ Necessity means that the use of force is a means of last resort and that all other available means have failed or are likely to fail.

As a minimum, it implies an obligation to identify the author, verify that the cyber attack is not an accident and that the matter cannot be settled by less intrusive means (for instance, by preventing the hackers from accessing the networks and websites under attack through the use of cyber defenses). The major problem with using self-defense to react against a cyber attack is the identification of the aggressor.¹⁵⁶ Aware of this difficulty, certain commentators have suggested that responses in self-defense to a cyber attack against national critical infrastructures should be allowed even without first attributing and characterizing the attack. According to this view, “the law should permit an active re-sponse based on the target of the attack, regardless of the attacker’s identity.”¹⁵⁷ This position, however, cannot be accepted. Apart from be-ing at odds with the law of state responsibility, it is inherently illogical.

If it has not yet been established where the attack comes from and to whom it is attributable, against whom and where will the reaction be directed? Furthermore, as seen above, there is no generally accepted definition of “critical infrastructure”. Finally, if one accepts “active self-defense” with regard to cyber attacks, why should it not also apply to terrorist attacks by traditional weapons, when no final evidence of state support has been found? Indeed, the United States DoD correctly re-jects this view and argues that “the international law of self-defense would not generally justify acts of ‘active defense’ across international

154 Ibid., 15.

155 Y. Dinstein, War, Aggression and Self-Defence, 2005, 208-211.

156 See above, Part III.

157 Jensen, see note 53, 234-235. See also M. Hoisington, “Cyberwarfare and the Use of Force Giving Rise to the Right of Self-Defense”, Boston College International and Comparative Law Review 32 (2009), 439 et seq. (453);

Condron, see note 53, 415-416.

boundaries unless the provocation could be attributed to an agent of the nation concerned, or until the sanctuary nation has been put on notice and given the opportunity to put a stop to such private conduct in its territory and has failed to do so, or the circumstances demonstrate that such a request would be futile.”¹⁵⁸

As to proportionality, a response in kind might not be possible, ei-ther because the victim state does not have the technology to conduct a cyber attack or because the aggressor does not have a sufficiently devel-oped computer network to hit.¹⁵⁹ It is also doubtful whether a series of small-scale cyber attacks can be considered cumulatively when assessing the proportionality of the reaction. The doctrine of the accumulation of events, often invoked by Israel and the United States against terrorist attacks, is controversial.¹⁶⁰ In the Oil Platforms case, the ICJ did not expressly reject it, although the Court found it not applicable in the case before it.¹⁶¹

Finally, the requirement of immediacy reflects the fact that the ulti-mate purpose of self-defense is not punishing the attacker, but rather repelling the armed attack. This requirement must be applied flexibly, especially in the case of cyber attacks. If a state’s military computer network has been incapacitated by the cyber attack, it might take some time for it to be able to react in self-defense. Furthermore, if the aggres-sor uses logic or time bombs, the actual damage could occur well after the cyber attack, which might delay the reaction.

c. Anticipatory Self-Defense against a Conventional Attack Preceded by a Cyber Attack

Even when the use of cyber force does not reach the threshold of an

“armed attack”, the victim state might still be in a position to invoke anticipatory self-defense against an imminent attack through conven-tional means that the cyber operation aims to prepare.¹⁶² As mentioned above, for instance, right before the 2008 Russian invasion several Georgian governmental websites had already been the target of brief but debilitating cyber attacks that continued throughout the conflict.

The shutting down of crucial websites in particular severed

158 DoD, An Assessment, see note 27, 21.

159 Greenberg/ Goodman/ Soo Hoo, see note 112, 32.

160 Zemanek, see note 134, para. 7; Dinstein, see note 31, 109.

161 ICJ Reports 2003, see note 143, 191 para. 64.

162 Robertson, Jr., see note 89, 139.

cation from the Georgian government in the initial phase of the con-flict.¹⁶³ It also appears that the 2007 bombing by Israel of a nuclear fa-cility in Syria was preceded by a cyber attack that neutralized ground radars and anti-aircraft batteries.¹⁶⁴

In the Nicaragua case, the ICJ did not take position on the problem of anticipatory self-defense, since “the issue of the lawfulness of a re-sponse to the imminent threat of armed attack” was not raised.¹⁶⁵ Simi-larly, in the case concerning Armed Activities on the Territory of the Congo the Court expressed no view, as Uganda eventually claimed that its actions were in response to armed attacks that had already oc-curred.¹⁶⁶ However, the Court was aware that the security needs that Uganda aimed to protect were “essentially preventative”¹⁶⁷ and held that “Article 51 of the Charter may justify a use of force in self-defence only within the strict confines there laid down. It does not allow the use of force by a State to protect perceived security interests beyond these parameters.”¹⁶⁸

The crucial question is how imminent the armed attack is, which de-termines whether the reaction is anticipatory or preventive.¹⁶⁹ It ap-pears that a right to anticipatory self-defense against an imminent

163 CCDCOE Report, see note 22, 4-5, 15.

164 M. Glenny, “Cyber armies are gearing up in the cold war of the web”, The Guardian, 25 June 2009, <www.guardian.co.uk/commentisfree/2009/jun/

25/cybercrime-nato-cold-war>.

165 ICJ Reports 1986, see note 64, 103 (para. 194).

166 Armed Activities on the Territory of the Congo (DRC v. Uganda), ICJ Re-ports 2005, 168 et seq. (222 para. 143).

167 Ibid.

168 Ibid., 223 (para. 148).

169 Although the terminology is controversial, the present author will refer to self-defense against imminent attacks as “anticipatory” and to self-defense against non-imminent attacks as “preventive”. The doctrine of preventive self-defense was contained in the 2002 United States National Security Strategy (reaffirmed in 2006), that tried to expand the definition of “immi-nence” of armed attack to cover cases where “uncertainty remains as to the time and place of the enemy’s attack”, The National Security Strategy of the United States of America, 20 September 2002, <http://www.whitehouse.

gov/nsc/nss.pdf>, 15; the 2006 version is available at <http://www.white house.gov/nsc/nss/2006/nss2006.pdf>, 23. However, the doctrine of pre-ventive self-defense has no basis in international law, either customary or conventional, A. Cassese, International Law, 2005, 361; Gray, see note 143, 213.

armed attack is consistent not only with customary international law,¹⁷⁰ but also with Article 51 of the UN Charter.¹⁷¹ It is true that, under a lit-eral reading of this provision, the armed attack must “occur”, but, ac-cording to article 32 of the 1969 Vienna Convention on the Law of Treaties, the application of the article 31 criteria should not lead to an interpretation which is “manifestly absurd or unreasonable”. It is unre-alistic to expect that states will in all circumstances await an attack be-fore reacting. The rationale of self-defense is to avert an armed attack. If the danger is “instant, overwhelming, leaving no choice of means, and no moment for deliberation”,¹⁷² if, in other words, it is necessary to re-act in that very moment because otherwise it would be too late, the

Nel documento IV. Cyber Attacks and the Prohibition of the Threat and Use of Force in International Relations (pagine 30-39)